Hi Folks,
I'm having a problem that I'm going to go bald trying to solve, it seems...
I've been tasked with creating a single searchable suffix for two different trees (dc=one,dc=com and dc=two,dc=com for argument's sake). The application that needs this suffix doesn't deal with referrals, so my first (and the obvious, I thought) solution won't work.
I delved into the Administrator's Guide and discovered the section on chained suffixes (i.e., Directory Links), and it seems good. The problem? I can't make it work right.
On a test server, I've set up a "master" suffix, "dc=com", and created directory links to "dc=one,dc=com" and "dc=two,dc=com". I've added the proxy ACI on the One and Two LDAP directories. When I search the test server, I can successfully find objects in the One tree, so it's half working -- but the Two tree doesn't work. I've checked and re-checked and everything appears kosher.
Am I barking up the wrong tree? Is there an easier way to do this? Should I give up and take up basket weaving as a nice, harmless job, and forget systems administration altogether?
Any help or suggestions would be appreciated.
Ben Steeves wrote:
> Hi Folks,
> I'm having a problem that I'm going to go bald trying to solve, it seems...
> I've been tasked with creating a single searchable suffix for two different trees (dc=one,dc=com and dc=two,dc=com for argument's sake). The application that needs this suffix doesn't deal with referrals, so my first (and the obvious, I thought) solution won't work.
> I delved into the Administrator's Guide and discovered the section on chained suffixes (i.e., Directory Links), and it seems good. The problem? I can't make it work right.
> On a test server, I've set up a "master" suffix, "dc=com", and created directory links to "dc=one,dc=com" and "dc=two,dc=com". I've added the proxy ACI on the One and Two LDAP directories. When I search the test server, I can successfully find objects in the One tree, so it's half working -- but the Two tree doesn't work. I've checked and re-checked and everything appears kosher.
Does the other LDAP server have dc=com and two sub suffixes dc=one,dc=com and dc=two,dc=com? Each with their own "real" database?
> Am I barking up the wrong tree? Is there an easier way to do this? Should I give up and take up basket weaving as a nice, harmless job, and forget systems administration altogether?
It's difficult to say for sure without reviewing all of your configuration.
> Any help or suggestions would be appreciated.
On 5/29/06, Richard Megginson rmeggins@redhat.com wrote:
> > On a test server, I've set up a "master" suffix, "dc=com", and created directory links to "dc=one,dc=com" and "dc=two,dc=com". I've added the proxy ACI on the One and Two LDAP directories. When I search the test server, I can successfully find objects in the One tree, so it's half working -- but the Two tree doesn't work. I've checked and re-checked and everything appears kosher.
> Does the other LDAP server have dc=com and two sub suffixes dc=one,dc=com and dc=two,dc=com? Each with their own "real" database?
Thanks for taking the time to reply, Richard...
The server with the real databases has two suffixes: "dc=one,dc=com" and "dc=two,dc=com". "dc=com" doesn't exist. Both suffixes have real databases and work if I query them individually.
I wouldn't be so frustrated if nothing was working, but the fact that searching with a base of "dc=com" for a UID that appears in "dc=one,dc=com" works but searching for a UID that appears in "dc=two,dc=com" doesn't is what's really bugging me. I went so far as deleting the "dc=one,dc=com" link, but the Two link still doesn't work, even if it's the only one. The root ACIs on One and Two are exactly the same (with the obvious changes for the different suffixes of course).
> > Am I barking up the wrong tree? Is there an easier way to do this? Should I give up and take up basket weaving as a nice, harmless job, and forget systems administration altogether?
> It's difficult to say for sure without reviewing all of your configuration.
Anything semi-specific you'd be curious about?
Ben Steeves wrote:
> On 5/29/06, Richard Megginson rmeggins@redhat.com wrote:
> > > On a test server, I've set up a "master" suffix, "dc=com", and created directory links to "dc=one,dc=com" and "dc=two,dc=com". I've added the proxy ACI on the One and Two LDAP directories. When I search the test server, I can successfully find objects in the One tree, so it's half working -- but the Two tree doesn't work. I've checked and re-checked and everything appears kosher.
> > Does the other LDAP server have dc=com and two sub suffixes dc=one,dc=com and dc=two,dc=com? Each with their own "real" database?
> Thanks for taking the time to reply, Richard...
> The server with the real databases has two suffixes: "dc=one,dc=com" and "dc=two,dc=com". "dc=com" doesn't exist. Both suffixes have real databases and work if I query them individually.
> I wouldn't be so frustrated if nothing was working, but the fact that searching with a base of "dc=com" for a UID that appears in "dc=one,dc=com" works but searching for a UID that appears in "dc=two,dc=com" doesn't is what's really bugging me. I went so far as deleting the "dc=one,dc=com" link, but the Two link still doesn't work, even if it's the only one. The root ACIs on One and Two are exactly the same (with the obvious changes for the different suffixes of course).
You could try enabling the trace level logging and the plugin level logging for the error log - perhaps there is a clue in the error log.
> > > Am I barking up the wrong tree? Is there an easier way to do this? Should I give up and take up basket weaving as a nice, harmless job, and forget systems administration altogether?
> > It's difficult to say for sure without reviewing all of your configuration.
> Anything semi-specific you'd be curious about?
On 5/31/06, Richard Megginson rmeggins@redhat.com wrote:
> > I wouldn't be so frustrated if nothing was working, but the fact that searching with a base of "dc=com" for a UID that appears in "dc=one,dc=com" works but searching for a UID that appears in "dc=two,dc=com" doesn't is what's really bugging me. I went so far as deleting the "dc=one,dc=com" link, but the Two link still doesn't work, even if it's the only one. The root ACIs on One and Two are exactly the same (with the obvious changes for the different suffixes of course).
> You could try enabling the trace level logging and the plugin level logging for the error log - perhaps there is a clue in the error log.
I turned on every bit of logging I could find and there were no substantive differences in the logs between a successful search on domain One and an unsuccessful search on domain Two except for where the result was passed back -- no errors or anything.
I'm beginning to suspect the problem lies in the fact that the "target" directories are running Sun One DS 5.1 -- I'm going to install an FDS test server and replicate the data there and try again.
389-users@lists.fedoraproject.org